AWS Certified Developer – Associate — Question 399
A developer needs to use Amazon DynamoDB to store customer orders. The developer's company requires all customer data to be encrypted at rest with a key that the company generates.
What should the developer do to meet these requirements?
Answer options
- A. Create the DynamoDB table with encryption set to None. Code the application to use the key to decrypt the data when the application reads from the table. Code the application to use the key to encrypt the data when the application writes to the table.
- B. Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS customer managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.
- C. Store the key by using AWS Key Management Service (AWS KMS). Create the DynamoDB table with default encryption. Include the kms:Encrypt parameter with the Amazon Resource Name (ARN) of the AWS KMS key when using the DynamoDB software development kit (SDK).
- D. Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS AWS managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.
Correct answer: B
Explanation
To encrypt DynamoDB data at rest with a key the company generates, the table must be configured to use an AWS KMS customer managed key (Option B). AWS managed keys (Option D) are created and controlled by AWS on the customer's behalf, so they do not satisfy the requirement that the company generate the key. Options A and C are incorrect because DynamoDB encryption at rest is configured on the table and applied transparently by the service through its native AWS KMS integration; it requires neither application-level encryption logic (Option A) nor a custom per-request parameter in the SDK (Option C).